OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Matthew Murphy (mattmurphykc.rr.com)
Date: Sun Apr 21 2002 - 10:16:54 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

        vqServer is a Windows web server written in Java. It is an innovative
    product, with support internally for Servlets, and external support for many
    kinds of CGI, (EXE, Perl, ...)

        However, some of the examples shipped in a default configuration of
    vqServer contain multiple cross-site scripting vulnerabilities. In one
    case, it is possible to create a cookie-based(?) attack that persists
    forever for a specific IP address. This could be used to attack the target
    via "Cookie Scripting" bugs in many known browsers.

    Example:

    (Requires Perl Interpreter)

    http://localhost/cgi/vq/demos/respond.pl?>alert("I%20should%20not%20b
    e%20able%20to%20do%20this!!!")</SCRIPT>